SikurdHelp
Open Sikurd

Data & security FAQ

What we store, how it's encrypted, who can see what.

For the full security posture see trust.sikurd.com. Quick answers below.

What data does Sikurd store?

  • Instance metadata — FQDN, name, version, license info, group.
  • Poll snapshots — every poll's Metric row (active calls, extensions registered, etc.) for ~90 days.
  • Backup history — timestamps + sizes + success/failure for each backup attempt the 3CX reported.
  • Alerts — every alert + resolution timestamp.
  • Audit log — every UI / API action with actor.
  • Encrypted credentials — your 3CX admin password (AES-256-GCM).
  • User accounts — name, email, hashed password (bcrypt rounds=12).

What don't we store?

  • Call audio — we never download or record call media.
  • 3CX user PII — extension names / emails from your 3CX are not pulled into Sikurd's DB.
  • Card / bank details — handled by Stripe; we never touch them.

Where is my data hosted?

  • App: Vercel (US-East primary).
  • Database: managed Postgres in US-East.
  • Worker: Railway US-East.

EU residency is on the Enterprise roadmap; reach out if that's a requirement.

Encryption

  • In transit: TLS 1.2+ everywhere.
  • At rest: Postgres column-level AES-256-GCM for sensitive fields (3CX admin passwords, PSA secrets). Stripe holds card data.
  • Session cookies: __Secure- prefix, httpOnly, Secure, SameSite=Lax.

Data retention

  • Metric history — 90 days.
  • Alerts — kept indefinitely as part of audit history.
  • Backup records — kept indefinitely.
  • Deleted instances — 30 days then permanently removed.
  • Logs — 30 days on Vercel + Railway side.

Can I export my data?

CSV export available from the dashboard for instances, alerts, and reports. Full data export (everything we have on your tenant) is available on request — email help@sikurd.com.

Account deletion

Email help@sikurd.com to delete your tenant. We confirm via the account email, then hard-delete within 7 days. Stripe customer record is closed in parallel.

Compliance

  • GDPR — yes (we have a DPA available; request via Trust Center).
  • SOC 2 Type II — in progress.
  • HIPAA — not certified; do not store PHI.

Sub-processors

Listed at trust.sikurd.com/security/sub-processors. Includes: Vercel, Railway, Stripe, SendGrid, Anthropic (Claude), ElevenLabs (TTS), Dialora (AI voice), Mintlify (this site).